Threat Modeling w. Adam Shostack

https://is1-ssl.mzstatic.com/image/thumb/Podcasts221/v4/0c/88/f9/0c88f9cc-794f-fb7d-c7eb-d13f6da2bbe7/mza_149107391505402747.jpg/600x600bb.jpg

Inside MedTech Innovation

Shannon Lantzy

35 episodes

6 days ago

Join Shannon Lantzy, as she brings you stories from inside the medtech ecosystem, featuring innovators, commercializers, regulators, and consumers. The show covers a wide array of topics, from patient-driven innovation to cybersecurity. We’ll examine the details that influence individual regulatory decisions and the broader impacts of emerging global issues, ensuring that great technology reaches the people who need it most.

Technology

RSS

All content for Inside MedTech Innovation is the property of Shannon Lantzy and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.

Technology

https://d3t3ozftmdmh3i.cloudfront.net/staging/podcast_uploaded_episode/41769498/41769498-1758779864356-5bf3e06afd022.jpg

Threat Modeling w. Adam Shostack

Inside MedTech Innovation

1 hour 3 minutes 3 seconds

3 months ago

Threat Modeling w. Adam Shostack

What does it take to transform cybersecurity from reactive patch management to proactive secure design? Adam Shostack, the world's leading expert on threat modeling, takes us inside Microsoft during its pivotal security transformation in the early 2000s and reveals how those lessons shaped FDA's approach to medical device cybersecurity today.

From the auto-run vulnerability that infected millions of computers monthly to creating the STRIDE methodology now used worldwide, Adam shares the origin stories behind fundamental cybersecurity practices. He explains how threat modeling evolved from expert-driven whiteboard sessions to systematic, scalable processes that any engineering team can implement.

Shannon and Adam explore the critical difference between risk management and threat modeling in design, why "pouring concrete and then wondering about properties" fails in cybersecurity, and how FDA's pre-market guidance ensures patient safety while fostering innovation. They dive deep into the four key questions every threat modeler must answer and why starting threat modeling with a simple napkin sketch can prevent costly architectural changes later.

Key Topics:

Microsoft's trustworthy computing transformation and lessons learned
The invention and evolution of STRIDE methodology for systematic threat analysis
How FDA adopted threat modeling for medical device cybersecurity regulation
The fundamental difference between threat modeling and risk management
Why current approaches to software understanding and composition analysis fall short
Practical advice for scaling threat modeling across organizations
The future of threat modeling with AI assistance

Timestamps:

[00:00] Microsoft's security crisis and transformation

[07:03] The auto-run story and data-driven decision making

[14:10] Birth of scalable threat modeling and STRIDE methodology

[23:43] FDA's systematic approach to adopting threat modeling

[32:41] Engineering fundamentals vs. risk management in cybersecurity

[42:49] The software understanding problem and why it's so hard

[55:20] Innovation vs. regulation balance in different industries

[57:21] Rapid fire: Current projects, heroes, and startup advice

[1:02:05] Scaling threat modeling and AI integration

Connect with Shannon:

LinkedIn: https://www.linkedin.com/in/shannonlantzy/ Website: https://www.shannonlantzy.com/

Connect with Adam:

Website: shostack.org

Books: "Threat Modeling: Designing for Security" and "Threats: What Every Engineer Should Learn from Star Wars"